Help Me Understand ACLs please

Wisdom (Explorer, joined Oct 15, 2016, 71 messages)
I'm absolutely pulling my hair out, after combing the documentation.

I've expanded my storage with an additional pool, with the intention of migrating my media from my old pool tank to a new pool lav. All my jails are still running on tank, and I thought it would be as simple as adjusting their mount points and tinkering with permissions. Along the way, I thought it would be prudent to jump from 11.2 to 11.3, and am now up to date on 11.3-U5.

Really thought that I had a handle on this, after a dozen previous attempts at tinkering with FreeNAS permissions. Here's what I tried:

- combed my jails for UIDs and created the relevant users
- hijacked the existing media group and added my new users
- added my storage. Created a pool (lav), and a dataset (media) on said pool. /mnt/lav/media looks great.
- got lost in ACLs. Adjusted the ACL of the dataset to root/media, with full control and inherited permissions

After moving my media, I can browse the share just fine: /mnt/lav/media/ has all the relevant folders: tv shows, movies, music, etc. All my media. I can even play directly off the share, via windows.
However, nothing else can touch it. From the command line, I can jump into Plex's iocage and cd to where the data is mounted - exactly as it's established in the mount point - and read through the files. ls -l shows that the media group that Plex is a part of owns the files, but the actual application has no idea that /mnt/lav/ even exists.
Thinking that perhaps it was a group issue, I added an additional ACL for one user specifically and still can't get it to see what's going on. I feel like I've either got the GUIs all wrong, or have absolutely no grasp on how ACLs are supposed to work.

What am I doing wrong?
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,553 messages)
Let's start by getting the lay of the land permissions-wise. What's the output of the following commands:
getfacl /mnt/lav
getfacl /mnt/lav/media
getfacl /mnt (jail)
getfacl /mnt/lav (jail)
id plex (jail)
 

Wisdom (Explorer, joined Oct 15, 2016, 71 messages)
Sorry for the delay, I was away for Christmas. I really do appreciate the quick reply, wish I could have responded in kind!

getfacl /mnt/lav yields:
Code:
# file: /mnt/lav
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow


getfacl /mnt/lav/media
Code:
# file: /mnt/lav/Media
# owner: root
# group: media
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         user:plex:rwxpDdaARWcCos:fd-----:allow
         everyone@:--------------:fd-----:allow

As a quick holiday hack, I tried adding the plex user to the ACL. Seemed to work, and that's why it's appearing in that list. That trick has not been successful with other users. Furthermore, removing the one-off ACL listing makes the permissions nightmares come back.

getfacl /mnt/tank/iocage/jails/plex
Code:
# file: /mnt/tank/iocage/jails/plex
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

Was that what you were after? Not sure I know enough to follow properly - sorry if I missed the mark.

getfacl /mnt/lav (jail) doesn't exist. The entire contents of that directory is the media folder.

id plex
Code:
uid=972(plex) gid=1001(Wisdom) groups=1001(Wisdom),8675309(media)

I'm guessing this is calling up the user that I created manually? Either that, or I actually retrieved the UID correctly from inside the jail.

Lidarr is the biggest troublemaker at the moment - it doesn't seem to believe that the jail's mounted point in /mnt/lav/media actually exists, and is where I'm not able to repeat the one-off ACL listing trick.
 

Wisdom (Explorer, joined Oct 15, 2016, 71 messages)
To bump this, I think I've got a bit of an update. To get my jails to work as expected, I've needed to add them manually to the ACL. It feels hacky, but it's getting the job done. I'd still like to know why adding them to a group and assigning the group permissions didn't work, but that's an issue for another day. I'd like to get everything mostly working before I try breaking it again.

My biggest issue is getting lidarr to manage my music. It's got an appropriate user, is a member of the aforementioned group, and has user-specific ACL permissions. However, even though I can navigate quite successfully to the mounted folder myself, lidarr doesn't believe its local mount point (inside the jail) exists.

While connected to the destination folder, it refuses to acknowledge that it exists. A read problem, before anything more. What's odd to me is that when the destination folder is disconnected, it's fine. It can find the local mount point, I can set the path even, but as soon as the destination is added on the other side it's invisible again.

Is this an issue with the local permissions, or the destination one? I've gone so far as to set lidarr as the owner of the local folder, and I think I've set it to have Full Access via the ACL of the destination as well.

My last concern is that I've got lidarr's UID wrong. I took pains to set it both within and without the jail, but I'm not sure how to track down what it might actually be running as. Displaying awk -F":" '{print $0 $1 $2}' /etc/passwd/ isn't showing me what I need - I think it's just what I set before, reflected back. Either that, or I really do have it right and it's broken in a way I can't even imagine.
 

ChrisRJ (Wizard, joined Oct 23, 2020, 1,919 messages)
I'd still like to know why adding them to a group and assigning the group permissions didn't work, but that's an issue for another day. I'd like to get everything mostly working before I try breaking it again.
Are the IDs of users and groups the same between your main system and the jail? *nix systems use the ID and not the name to determine membership.
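The two points raised above, anodos's request to compare getfacl output on the host with the view from inside the jail, and ChrisRJ's reminder that the kernel matches on numeric ids rather than names, can be checked mechanically. The following is an added example written for this thread, not code from the original posts or from FreeNAS/TrueNAS: it parses FreeBSD getfacl(1) output for an NFSv4 ACL, applies the basic NFSv4 evaluation rule (walk the ACEs in order, the first matching ACE that mentions a requested bit decides it, anything undecided is denied), and reports names whose uid differs between a host passwd file and a jail passwd file. All sample data (the ACL text, the passwd and group lines, the jail uid of 1002 for lidarr) is constructed for the example, modelled on the output posted in the thread; real systems also apply mode bits and other details this simplified evaluator ignores.

```python
"""Added example (not from the thread): evaluate an NFSv4 ACL for a process with
a given uid and gid set, the way the FreeBSD/ZFS ACE walk does, and compare host
vs jail ids by name. All sample data is constructed, modelled on the thread."""
from typing import Dict, List, NamedTuple, Set, Tuple


class Ace(NamedTuple):
    principal: str  # owner@, group@, everyone@, user:NAME or group:NAME
    perms: str      # NFSv4 permission string, e.g. rwxpDdaARWcCos
    flags: str      # inheritance flags, e.g. fd-----
    kind: str       # allow or deny


class Acl(NamedTuple):
    path: str
    owner: str
    group: str
    aces: List[Ace]


def parse_getfacl(text: str) -> Acl:
    """Parse FreeBSD getfacl(1) output for an NFSv4 ACL."""
    header: Dict[str, str] = {}
    aces: List[Ace] = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("#"):  # "# owner: root" style header lines
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        else:  # rsplit keeps a "user:plex" principal in one piece
            principal, perms, flags, kind = line.rsplit(":", 3)
            aces.append(Ace(principal, perms, flags, kind))
    return Acl(header["file"], header["owner"], header["group"], aces)


def parse_ids(text: str) -> Dict[str, int]:
    """name -> numeric id from passwd(5)/group(5) lines (the id is field 3)."""
    rows = (ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {f[0]: int(f[2]) for f in rows}


def ace_applies(ace: Ace, acl: Acl, uid: int, gids: Set[int],
                users: Dict[str, int], groups: Dict[str, int]) -> bool:
    """Match on numeric ids only; a name matters only via the number it resolves to."""
    if ace.principal == "everyone@":
        return True
    if ace.principal == "owner@":
        return uid == users[acl.owner]
    if ace.principal == "group@":
        return groups[acl.group] in gids
    tag, _, name = ace.principal.partition(":")
    return (users.get(name) == uid) if tag == "user" else (groups.get(name) in gids)


def access_allowed(acl: Acl, uid: int, gids: Set[int], wanted: str,
                   users: Dict[str, int], groups: Dict[str, int]) -> bool:
    """NFSv4 rule: the first matching ACE that mentions a requested bit decides
    it; a deny wins immediately, and a bit nobody grants is denied at the end."""
    undecided = set(wanted)
    for ace in acl.aces:
        if not undecided:
            break
        if not ace_applies(ace, acl, uid, gids, users, groups):
            continue
        for bit in list(undecided):
            if bit in ace.perms:
                if ace.kind == "deny":
                    return False
                undecided.discard(bit)
    return not undecided


def can_list_dir(path_acls: List[Acl], uid: int, gids: Set[int],
                 users: Dict[str, int], groups: Dict[str, int]) -> bool:
    """Listing a directory needs traverse (x) on every ancestor and rx on itself."""
    *parents, target = path_acls
    return (all(access_allowed(a, uid, gids, "x", users, groups) for a in parents)
            and access_allowed(target, uid, gids, "rx", users, groups))


def uid_mismatches(host: Dict[str, int], jail: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Names that exist on both sides but resolve to different numbers."""
    return {n: (host[n], jail[n]) for n in host.keys() & jail.keys() if host[n] != jail[n]}


# Constructed sample data modelled on the thread (uid 972 for plex, gid 8675309 for media).
GETFACL_MNT_LAV = """# file: /mnt/lav
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow"""
GETFACL_MEDIA = """# file: /mnt/lav/media
# owner: root
# group: media
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
user:plex:rwxpDdaARWcCos:fd-----:allow
everyone@:--------------:fd-----:allow"""
HOST_PASSWD = "root:*:0:0::/root:/bin/sh\nplex:*:972:1001::/nonexistent:/usr/sbin/nologin\nlidarr:*:353:1001::/nonexistent:/usr/sbin/nologin"
HOST_GROUP = "wheel:*:0:root\nWisdom:*:1001:\nmedia:*:8675309:plex,lidarr"
# Hypothetical jail passwd in which lidarr was created with a different uid than on the host.
JAIL_PASSWD = "root:*:0:0::/root:/bin/sh\nplex:*:972:972::/nonexistent:/usr/sbin/nologin\nlidarr:*:1002:1002::/nonexistent:/usr/sbin/nologin"

if __name__ == "__main__":
    users, groups = parse_ids(HOST_PASSWD), parse_ids(HOST_GROUP)
    path = [parse_getfacl(GETFACL_MNT_LAV), parse_getfacl(GETFACL_MEDIA)]
    print("plex (uid 972) with media gid:", can_list_dir(path, 972, {1001, 8675309}, users, groups))
    print("uid 353 without media gid:    ", can_list_dir(path, 353, {1001}, users, groups))
    print("host/jail uid mismatches:     ", uid_mismatches(users, parse_ids(JAIL_PASSWD)))
```

Run as-is it shows the situation from the thread: anything carrying the media gid gets through both directories because /mnt/lav grants x to everyone@ and /mnt/lav/media grants rwx to group@, a uid that matches the user:plex entry gets through even without that gid (the "one-off ACL trick"), and a uid carrying neither is stopped at media because its everyone@ entry grants nothing. The uid_mismatches check is what ChrisRJ's question boils down to: feed it the real /etc/passwd from the host and from the jail and any name listed there is one the kernel sees as two different users.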
 

Wisdom (Explorer, joined Oct 15, 2016, 71 messages)
Are the IDs of users and groups the same between your main system and the jail? *nix systems use the ID and not the name to determine membership.
I think so. That's what I was trying to get at, and failing to communicate. For additional clarification, plex is registered as 972 in both the FreeNAS GUI, as well as within its own jail. That's been the pattern I've followed (or tried to) throughout.

Running awk -F":" '{print $0 $1 $2}' /etc/passwd/ shows lidarr 353 both within and without. However, since I manually added the lidarr user outside the jail and - if I remember rightly - internally as well, that numerical value might be incorrect. That's my concern.

I also haven't been able to track down a third-party, objective source that can tell me what, if anything, it's supposed to be. I found a github thread where some of the devs stated on unix systems, the IDs are generated after install. I have no idea if that's right, but doesn't jive with my understanding of other programs. Some guides for more popular programs (plex, etc) have the UIDs pre-determined, so that setting up permissions is less of a nightmare.

E: little additional realization: windows permissions (browsing folder security) shows that the manually added users - plex, lidarr, etc - have their full permissions, just as specified. However, the media usergroup only has "special permissions." I'm not clear either on what that means or on why it's set that way - the ACL is configured for
Code:
Who: group@
ACL Type: Allow
Permission: Basic
Permissions: Full Control
Flag Type: Basic
Flags: Inherit

Which is exactly the same as the rest of the manually added users.
 